CVE-2026-54100 Overview
CVE-2026-54100 is a missing certificate validation flaw [CWE-295] in the Windows Machine Config Operator (WMCO) for Red Hat OpenShift Container Platform. WMCO establishes Secure Shell (SSH) connections to Windows worker nodes without verifying the remote server host key. An attacker positioned on an adjacent network can intercept or redirect the WMCO SSH session and capture Windows Instance Config Daemon (WICD) and kubelet bootstrap credentials transferred during node configuration. Successful interception enables compromise of Windows node identities within the OpenShift cluster. The vulnerability carries an adjacent-network attack vector with high impact to confidentiality, integrity, and availability, and a scope change because compromised credentials extend control beyond the SSH session itself.
Critical Impact
An adjacent-network attacker can perform a machine-in-the-middle attack against WMCO SSH sessions and steal WICD and kubelet bootstrap credentials, allowing impersonation of Windows worker nodes in the OpenShift cluster.
Affected Products
- Red Hat OpenShift Container Platform — Windows Machine Config Operator (WMCO)
- Windows worker nodes managed by WMCO
- OpenShift clusters using WMCO for Windows node bootstrap and configuration
Discovery Timeline
- 2026-06-22 - CVE-2026-54100 published to the National Vulnerability Database
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-54100
Vulnerability Analysis
WMCO automates the lifecycle of Windows worker nodes in OpenShift. During node configuration, WMCO opens an SSH channel to each Windows machine to transfer files, run commands, and provision the WICD and kubelet bootstrap credentials. The SSH client implementation inside WMCO does not validate the host key presented by the Windows node, so any server responding on the expected address is accepted as authentic. This breaks the trust assumption that SSH provides and exposes every bootstrap session to interception.
An attacker on an adjacent network segment — for example, the management network shared with the OpenShift control plane and worker subnets — can use ARP spoofing, DHCP manipulation, or routing tricks to position a rogue endpoint between WMCO and the real Windows node. The rogue endpoint completes the SSH handshake, receives the credentials, and can forward traffic to maintain stealth. Captured credentials then allow the attacker to register as a legitimate Windows node, run workloads, and access cluster secrets reachable from that identity.
Root Cause
The root cause is improper certificate and key validation [CWE-295] in the SSH client logic used by WMCO. The client accepts unknown or changed host keys instead of pinning them against a trusted known_hosts store or verifying them through a certificate authority. The absence of trust-on-first-use enforcement or pre-provisioned host keys removes the only cryptographic check that distinguishes a real Windows node from an impostor.
Attack Vector
Exploitation requires adjacent-network access and an active interception primitive. The attacker waits for WMCO to initiate a bootstrap or reconfiguration SSH session, redirects the TCP flow to attacker-controlled infrastructure, and presents an arbitrary SSH server. WMCO completes authentication, transfers WICD and kubelet bootstrap secrets, and the attacker captures them in cleartext relative to the legitimate node. Attack complexity is high because the attacker must time the interception with a WMCO provisioning action, but no privileges or user interaction are required.
No public proof-of-concept exploit is currently available. See the Red Hat CVE-2026-54100 Advisory and Red Hat Bug Report #2487953 for vendor technical details.
Detection Methods for CVE-2026-54100
Indicators of Compromise
- Unexpected ARP table changes or duplicate MAC addresses on subnets carrying WMCO-to-Windows-node SSH traffic.
- SSH host key changes on Windows nodes that do not correspond to a scheduled rebuild or reimage operation.
- Windows node CertificateSigningRequest objects or kubelet client certificates issued from source IPs that do not match expected node addresses.
- Authentication events from WICD or kubelet identities originating outside the documented Windows node IP ranges.
Detection Strategies
- Inspect WMCO operator logs for SSH connections to hosts whose fingerprints differ from a known baseline, and alert on any host key mismatch warnings.
- Correlate Kubernetes audit logs with network flow telemetry to identify node registrations that follow anomalous SSH sessions to the WMCO pod.
- Run periodic SSH fingerprint sweeps of Windows worker nodes from a trusted bastion and compare results to a signed inventory.
- Monitor for newly issued kubelet bootstrap tokens being used from unexpected source addresses or outside provisioning windows.
Monitoring Recommendations
- Forward OpenShift audit logs, WMCO container logs, and Windows node Event Logs to a centralized data lake for cross-source correlation.
- Enable network flow logging (VPC flow logs, NSG flow logs, or on-prem sensor data) on subnets used by WMCO and Windows nodes.
- Track WMCO controller reconciliation events and alert when bootstrap operations occur outside maintenance windows.
- Baseline expected SSH host keys for all Windows nodes and trigger detections on any deviation.
How to Mitigate CVE-2026-54100
Immediate Actions Required
- Apply the WMCO update referenced in the Red Hat CVE-2026-54100 Advisory once available for your OpenShift Container Platform release.
- Rotate any WICD and kubelet bootstrap credentials issued before the patch is applied, and revoke client certificates tied to affected Windows nodes.
- Restrict access to the network segments carrying WMCO-to-node SSH traffic so that only authorized control plane components can communicate with Windows nodes.
- Audit existing Windows node identities in the cluster and remove any nodes that cannot be matched to a current, trusted machine.
Patch Information
Red Hat tracks remediation under the advisory linked in Red Hat CVE-2026-54100 Advisory and Red Hat Bug Report #2487953. The fix enforces host key verification in the WMCO SSH client so that connections to unknown or changed Windows hosts are rejected. Apply the fixed WMCO operator version through the OpenShift OperatorHub once Red Hat publishes the patched build for your channel.
Workarounds
- Isolate WMCO traffic to Windows nodes on a dedicated management VLAN or software-defined network segment with strict layer-2 controls to limit adjacent-network interception.
- Enforce static ARP entries or DHCP snooping on switches that carry WMCO and Windows node traffic to reduce machine-in-the-middle opportunities.
- Limit WMCO provisioning operations to defined maintenance windows and monitor closely during those windows for anomalous SSH or network activity.
- Rotate Windows node bootstrap credentials frequently to shorten the validity window of any credentials that may have been captured.
# Configuration example: identify the running WMCO version and review SSH-related events
oc get csv -n openshift-windows-machine-config-operator \
-o jsonpath='{.items[?(@.spec.displayName=="Windows Machine Config Operator")].spec.version}'
oc logs -n openshift-windows-machine-config-operator \
deployment/windows-machine-config-operator | grep -Ei 'ssh|host key|fingerprint'
# After patching, restart the operator to ensure the new SSH client logic is loaded
oc rollout restart deployment/windows-machine-config-operator \
-n openshift-windows-machine-config-operator
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

